Privacy Policy

Maka Privacy Policy

Status: Draft — Requires Attorney Review

Effective Date: 2026-04-26


1. Introduction

Maka ("we," "our," or "Maka") is a scam detection service based in Honolulu, Hawaii. This Privacy Policy explains what personal data we collect, how we use it, and your rights with respect to it.

This policy covers:

  • The Maka browser extension
  • The Maka mobile app
  • The Maka website (usemaka.com)
  • The Maka API

By using any of the above, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

This policy is effective as of the date shown above.


2. Data We Collect

Account data

When you create a Maka account through Clerk (our authentication provider), we receive and store:

  • Email address — used to identify your account, send service communications, and allow account recovery
  • Subscription tier — one of: free, personal, family, business, or enterprise — used to enforce scan limits and billing entitlements
  • Stripe customer ID — a reference token linking your account to your Stripe billing record (not a payment credential)
  • Account creation date

Scan history

When you scan a social media profile through Maka, we record:

  • The profile ID that was scanned (for example, "facebook:john.doe")
  • A reference to your user ID (the scannedBy field), which links the scan to your account
  • Scan timestamps (when the scan was initiated and completed)
  • Daily scan counts for rate limiting purposes

This data constitutes personal data under GDPR because it is linked to your user ID.

Community reports

If you submit a report flagging a profile as a potential scam:

  • We store the profile ID reported
  • We store a reference to your user ID (if you are logged in) or record the report as anonymous
  • We store the reason text you provide (optional)
  • We store the timestamp of submission

Anonymous reports are stored without any user identifier.

Extension local data

The Maka browser extension caches score data locally in your browser using IndexedDB. This local cache:

  • Is stored only in your browser on your device
  • Is never transmitted to Maka's servers
  • Can be cleared by uninstalling the extension or clearing your browser's local storage

Payment data

Payments are processed by Stripe, Inc. We do not store your card number, bank account details, or other raw payment credentials. We store only:

  • Your Stripe customer ID (a reference token, not a payment credential)
  • Your current subscription status (active, canceled, or past due)
  • Your current subscription tier
  • The current period end date of your subscription

Usage data

We collect the following operational data for rate limiting and abuse prevention:

  • Number of scans performed per day
  • API usage counts
  • Date and time of API key last use

Data we do NOT collect

We do not collect:

  • The content of social media profiles (profile text, posts, messages, or images) — we pass a reference identifier to our AI service for analysis, but we do not store the underlying content
  • Private messages or communications of any kind
  • Precise geolocation data
  • Browsing history outside of scans you explicitly initiate

3. Data We Do NOT Collect or Sell

To be unambiguous:

  • We do not collect the content of social media profiles. We send a profile identifier to our AI processing service, but we do not store the text, images, or posts themselves.
  • We do not collect your private messages or communications on any platform.
  • We do not sell personal data to any third party, advertiser, or data broker — ever.

4. Public Profile Scores

Maka computes scam risk scores for publicly visible social media profiles. This data is about third parties, not about our registered users.

For each scanned profile, we store:

  • Profile ID — a platform-scoped identifier (e.g., "twitter:username")
  • Platform and username
  • Computed risk score (0–100) and risk level (safe, suspicious, scam, or unknown)
  • Detected signals — an array of behavioral/textual pattern identifiers that contributed to the score
  • Explanation text — a human-readable summary of why a score was assigned
  • Per-signal subscores — text, behavioral, image, and graph analysis components
  • Community report count — the number of reports submitted for this profile

Retention

Scan results have a built-in expiration and are refreshed when rescanned. Scan results are fully deleted 90 days after they are created. After deletion, no record of the score remains in our system.

Score subjects and their rights

If you are the subject of a Maka score and wish to request its removal, you may submit an appeal at usemaka.com/appeal. See Section 9 (User Rights) and our Appeal Process document for details.

The legal basis for processing publicly available profile data is legitimate interests (GDPR Article 6(1)(f)): detecting and warning users about scam activity serves a genuine consumer protection purpose that is not overridden by the privacy interests of public social media profiles.


5. How We Use Data

We use the data we collect for the following purposes:

  • Providing the Service — processing scans, returning scores, enforcing subscription limits, maintaining scan history
  • Rate limiting and abuse prevention — enforcing per-account and per-API-key daily scan limits; detecting coordinated manipulation of community reports
  • Billing and subscription management — processing payments, managing subscription status, preventing billing fraud
  • Improving scoring accuracy — aggregate, anonymized analysis of scan patterns to improve the accuracy and fairness of the scoring model (individual scan histories are not used for model training without separate consent)
  • Service communications — notifying you of material changes to these policies, subscription renewals, and account security events
  • Legal compliance — responding to lawful requests from government authorities; enforcing our Terms of Service

We do not use personal data for advertising, profiling for marketing purposes, or sale to third parties.


6. Legal Basis for Processing (GDPR)

For users in the European Economic Area, United Kingdom, or other jurisdictions where GDPR or equivalent law applies, we rely on the following legal bases:

| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract (Article 6(1)(b)) — processing is necessary to provide the Service you subscribed to |
| Processing payments | Contract (Article 6(1)(b)) — necessary to fulfill the paid subscription |
| Storing scan history linked to your account | Contract (Article 6(1)(b)) — necessary to provide scan history and enforce rate limits |
| Computing public profile scam scores | Legitimate interests (Article 6(1)(f)) — consumer protection and fraud detection; we have conducted a balancing test and determined this interest is not overridden |
| Fraud and abuse detection | Legitimate interests (Article 6(1)(f)) — protecting the integrity of the Service |
| Optional analytics on the marketing website | Consent (Article 6(1)(a)) — collected via cookie consent where applicable |

You may object to processing based on legitimate interests at any time by contacting privacy@usemaka.com.


7. Data Sharing and Third-Party Processors

We do not sell personal data. We share data only with the following processors who help us operate the Service:

Anthropic (AI processing)

When a scan is performed, we send the public profile's text content to Anthropic's Claude API for analysis. Anthropic processes this data as a data processor under its API terms of service. We do not send your personal account data to Anthropic — only the public profile content being analyzed.

Anthropic API Privacy: api.anthropic.com/privacy

Stripe (payment processing)

Stripe processes payment transactions and stores payment credentials on our behalf. We receive only a customer reference token and subscription status. Stripe is certified as a PCI DSS Level 1 Service Provider.

Stripe Privacy Policy: stripe.com/privacy

Clerk (authentication)

Clerk manages user authentication, session management, and account identity. Clerk stores your email address and session tokens on our behalf.

Clerk Privacy Policy: clerk.com/legal/privacy

Cloudflare (CDN and DDoS protection)

Cloudflare sits in front of our servers to provide content delivery, DDoS protection, and edge caching. Cloudflare may see your IP address and request metadata.

Cloudflare Privacy Policy: cloudflare.com/privacypolicy

No other sharing

We do not share personal data with any other third parties, including advertisers, analytics platforms (other than the privacy-respecting Plausible on our marketing site — see Section 13), or data brokers.


8. Data Retention

| Data type | Retention period |
|---|---|
| Account data (email, tier, etc.) | Retained until you request account deletion |
| Scan history (scannedBy records) | Retained until account deletion; underlying scan results deleted after 90 days |
| Scan results (scores, signals, explanation) | Expire after 24 hours (flagged for refresh); deleted after 90 days |
| Community reports | Retained for 2 years for abuse prevention and appeal purposes |
| API key hashes | Retained until revoked or account deleted |
| Subscription records | Retained for 7 years for financial and tax compliance purposes |
| Payment records (via Stripe) | Per Stripe's retention policy (typically 7 years) |

After a scan result is deleted, we retain no record of the score that was assigned to that profile.


9. Your Rights

Access

You may request a copy of the personal data we hold about you by emailing privacy@usemaka.com. We will respond within 30 days.

Deletion

You may request deletion of your account and all associated personal data by emailing privacy@usemaka.com. We will complete deletion within 30 days of your request, subject to legal holds (for example, financial records we are required to retain).

Portability

You may request an export of your scan history in JSON format. Contact privacy@usemaka.com or use the export feature in your account settings (if available).

Rectification

If any personal data we hold about you is inaccurate, you may request that we correct it by emailing privacy@usemaka.com.

Objection and restriction

You may object to processing based on legitimate interests or request that we restrict processing of your data in certain circumstances. Contact privacy@usemaka.com.

Score removal (for profile subjects)

If you are the subject of a Maka score on your own social media profile, you may request removal of that score via the appeal process at usemaka.com/appeal. This is a separate process from account-related data requests.

Opt-out of sale (California / CCPA)

We do not sell personal data. However, California residents may submit a formal CCPA opt-out request at privacy@usemaka.com.


10. California Privacy Rights (CCPA)

This section applies to residents of California.

Categories of personal data collected

| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Email address, user ID | Yes |
| Commercial information | Subscription tier, purchase history | Yes |
| Internet or network activity | Scan history, API usage | Yes |
| Geolocation data | Precise location | No |
| Inferences | Scam risk scores (about third parties, not users) | No (about users) |

Your CCPA rights

  • Right to know — request disclosure of the categories and specific pieces of personal data collected about you
  • Right to delete — request deletion of personal data we hold about you
  • Right to opt out of sale — we do not sell personal data; this right is satisfied by default
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights

To exercise your rights, email privacy@usemaka.com with the subject line "CCPA Request." We will respond within 45 days.

We do not sell personal information to third parties as defined under the CCPA.


11. Children's Privacy

Maka is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will delete it promptly.

If you believe a child under 13 has provided us with personal data, please contact privacy@usemaka.com.

Users between 13 and 18 may use the Service in a limited capacity (no API access). We recommend that minors obtain parental consent before using the Service.


12. Security

We take reasonable and industry-standard measures to protect personal data:

  • Encryption in transit — all communications between your browser/app and our servers use HTTPS (TLS 1.2 or higher)
  • Encryption at rest — our PostgreSQL database uses transparent data encryption (TDE)
  • API keys — raw API keys are never stored; we store only the SHA-256 hash of each key
  • Access controls — employee access to production data is restricted on a need-to-know basis
  • Dependency and vulnerability management — we apply security patches on a regular basis

No security measure is perfect. In the event of a data breach that affects your personal data, we will notify you as required by applicable law, and no later than 72 hours after becoming aware of the breach for GDPR-covered data.


13. Cookies and Local Storage

Browser extension

The Maka extension does not use browser cookies. It uses IndexedDB for local score caching. This data is stored entirely on your device and is never transmitted to our servers.

Marketing website

The Maka marketing website uses Plausible Analytics, a privacy-respecting analytics tool. Plausible:

  • Does not use cookies
  • Does not collect or store personal data
  • Does not fingerprint your browser
  • Complies with GDPR, CCPA, and PECR by design

We do not use Google Analytics, Meta Pixel, or any other third-party behavioral tracking or ad-targeting scripts on our website.

Authentication cookies

Our authentication provider (Clerk) sets session cookies on the Maka web app to maintain your logged-in state. These cookies are strictly necessary for the Service to function and are not used for tracking.


14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — changes that affect how we collect, use, or share your personal data in ways that differ substantially from this policy — we will:

  • Send an email notification to the address associated with your account; and
  • Provide at least 30 days' notice before the updated policy takes effect.

For minor clarifications and non-material edits, we will update the effective date and post the revised policy.

Continued use of the Service after the new policy takes effect constitutes your acceptance of the updated policy.


15. Contact

For questions, requests, or complaints about this Privacy Policy or our data practices, contact us at:

Email: privacy@usemaka.com

Maka

Honolulu, Hawaii

EU/UK users: if you are not satisfied with our response to a data protection complaint, you have the right to lodge a complaint with your local data protection authority.